DNS(4) -- dns功能实现-配置正向解析和反向解析以及DNS递归查询示例



1 DNS配置示例

1.1 DNS解析类型

DNS在一个区域中有正向解析和反向解析两种类型:

  • 正向解析:

    FQDN->IP

  • 反向解析:

    IP->FQDN

    反向解析用到根域下一个特殊的名为ARPA域,叫反向解析域;

    反向解析域下面有一个in-addr,再往下为IP地址;

    以172.20.0.100为例,查询路线为访问根–>arpa域–>in-addr–>172–>20–>0–>100,但是在PTR记录中要反着写:100.0.20.172.in-addr-arpa.;

1.2 配置正向解析

自定义域分为如下两类:

  • 主机域:
    • 1.主机域其实是一个假域;
    • 2.主机域其实是不能解析到互联网上;
    • 3.主机域它只对局域网(内网)提供服务;
  • 业务域:
    • 1.业务域一般都是真实可用的;
    • 2.业务域则为一个真正需要对外提供服务的域名;

以xuzhichao.com域为例进行配置。

  1. 启动named服务:

    [root@dns01 ~]# systemctl start named.service
    
    [root@dns01 ~]# rndc status
    version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7 (Extended Support Version) <id:7107deb>
    running on dns01: Linux x86_64 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020
    boot time: Fri, 16 Jul 2021 15:51:04 GMT
    last configured: Fri, 16 Jul 2021 15:54:19 GMT
    configuration file: /etc/named.conf
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 104 (97 automatic)
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/900/1000
    tcp clients: 8/150
    server is up and running
    
    [root@dns01 ~]# ss -ntulp
    Netid State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
    udp   UNCONN     0      0      192.168.50.70:53                            *:*                   users:(("named",pid=1743,fd=515))
    udp   UNCONN     0      0      192.168.20.70:53                            *:*                   users:(("named",pid=1743,fd=514))
    udp   UNCONN     0      0      192.168.2.123:53                            *:*                   users:(("named",pid=1743,fd=513))
    udp   UNCONN     0      0         127.0.0.1:53                            *:*                   users:(("named",pid=1743,fd=512))
    udp   UNCONN     0      0             [::1]:53                         [::]:*                   users:(("named",pid=1743,fd=516))
    tcp   LISTEN     0      10     192.168.50.70:53                            *:*                   users:(("named",pid=1743,fd=24))
    tcp   LISTEN     0      10     192.168.20.70:53                            *:*                   users:(("named",pid=1743,fd=23))
    tcp   LISTEN     0      10     192.168.2.123:53                            *:*                   users:(("named",pid=1743,fd=22))
    tcp   LISTEN     0      10        127.0.0.1:53                            *:*                   users:(("named",pid=1743,fd=21))
    tcp   LISTEN     0      10            [::1]:53                         [::]:*                   users:(("named",pid=1743,fd=25))
    
  2. 主配置文件修改如下:

    [root@dns01 ~]# cat /etc/named.conf
    options {
    	listen-on port 53 { localhost; };
    	listen-on-v6 port 53 { localhost; };
    	directory 	"/var/named";
    	dump-file 	"/var/named/data/cache_dump.db";
    	statistics-file "/var/named/data/named_stats.txt";
    	memstatistics-file "/var/named/data/named_mem_stats.txt";
    	recursing-file  "/var/named/data/named.recursing";
    	secroots-file   "/var/named/data/named.secroots";
    	allow-query     { any; };
    	recursion yes;
    	dnssec-enable yes;
    	dnssec-validation yes;
    
    	bindkeys-file "/etc/named.root.key";
    
    	managed-keys-directory "/var/named/dynamic";
    
    	pid-file "/run/named/named.pid";
    	session-keyfile "/run/named/session.key";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
    	type hint;
    	file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/named.xuzhichao.com.zone";    <==新增一个区域配置文件
    
  3. 新增区域配置文件,主要区域配置的属主为root,属组为named,权限为640:

    #修改区域配置文件属性
    [root@dns01 ~]# chgrp named /etc/named.xuzhichao.com.zone 
    [root@dns01 ~]# chmod 640 /etc/named.xuzhichao.com.zone
    
    #区域配置文件内容:
    [root@dns01 ~]# cat /etc/named.xuzhichao.com.zone
    zone "xuzhichao.com" IN {
    		type master;
    		file "xuzhichao.com.zone";    <==指定区域解析文件名称,此处为相对路径,存放在/var/named/目录下;
    };
    
  4. 新增区域解析文件:

    [root@dns01 ~]# cat /var/named/xuzhichao.com.zone 
    $TTL 86400
    
    xuzhichao.com.	IN	SOA	ns1.xuzhichao.com.	mail.xuzhichao.com. (
    2021071601
    10800
    900
    604800
    86400
    )
    
    xuzhichao.com.	IN	NS	ns1.xuzhichao.com.
    xuzhichao.com.	IN	NS	ns2.xuzhichao.com.
    
    ns1		IN	A	192.168.20.70
    ns2		IN	A	192.168.20.71
    
    xuzhichao.com.	IN	MX	 10 mx1.xuzhichao.com.
    mx1		IN	A	 192.168.20.11
    
    ;业务域
    www.xuzhichao.com.	IN	A	192.168.20.31
    www.xuzhichao.com.	IN	A	192.168.20.32
    
    web.xuzhichao.com.	IN	CNAME	www.xuzhichao.com.
    
    ;主机域
    
    nginx02.xuzhichao.com.	IN	A	192.168.20.22
    ngxin03.xuzhichao.com.	IN	A	192.168.20.23
    
    nginx-lb01.xuzhichao.com.	IN	A	192.168.20.19
    nginx-lb02.xuzhichao.com.	IN	A	192.168.20.20
    
    apache01.xuzhichao.com.		IN	A	192.168.20.21
    
    lvs01.xuzhichao.com.	IN	A	192.168.20.31
    lvs02.xuzhichao.com.	IN	A	192.168.20.32
    
    mysql01.xuzhichao.com.	IN	A	192.168.20.50
    
    redis01.xuzhichao.com.	IN	A	192.168.20.61
    
    nfs01.xuzhichao.com.	IN	A	192.168.20.30
    
    dns01.xuzhichao.com.	IN	A	192.168.20.70
    
    #修改文件权限属性:
    [root@dns01 ~]# chgrp named /etc/named.xuzhichao.com.zone 
    [root@dns01 ~]# chmod 640 /etc/named.xuzhichao.com.zone
    
  5. 检测配置文件语法:

    [root@dns01 ~]# named-checkconf 
    [root@dns01 ~]# named-checkzone xuzhichao.com /var/named/xuzhichao.com.zone 
    zone xuzhichao.com/IN: loaded serial 2021071601
    OK
    
  6. 重启named服务:

    [root@dns01 ~]# rndc reload
    server reload successful
    
    或:
    [root@dns01 ~]# systemctl restart named.service
    
  7. 测试域名解析:

    #1.测试DNS的轮询功能
    [root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> @192.168.20.70 www.xuzhichao.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28384
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.xuzhichao.com.		IN	A
    
    ;; ANSWER SECTION:
    www.xuzhichao.com.	86400	IN	A	192.168.20.32
    www.xuzhichao.com.	86400	IN	A	192.168.20.31
    
    ;; AUTHORITY SECTION:
    xuzhichao.com.		86400	IN	NS	ns1.xuzhichao.com.
    xuzhichao.com.		86400	IN	NS	ns2.xuzhichao.com.
    
    ;; ADDITIONAL SECTION:
    ns1.xuzhichao.com.	86400	IN	A	192.168.20.70
    ns2.xuzhichao.com.	86400	IN	A	192.168.20.71
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.20.70#53(192.168.20.70)
    ;; WHEN: Fri Jul 16 23:55:56 CST 2021
    ;; MSG SIZE  rcvd: 146
    
    #轮询访问
    [root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com +short
    192.168.20.32
    192.168.20.31
    [root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com +short
    192.168.20.32
    192.168.20.31
    [root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com +short
    192.168.20.31
    192.168.20.32
    
    #2.测试CNAME记录
    [root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com 
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> @192.168.20.70 web.xuzhichao.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65041
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;web.xuzhichao.com.		IN	A
    
    ;; ANSWER SECTION:
    web.xuzhichao.com.	86400	IN	CNAME	www.xuzhichao.com.
    www.xuzhichao.com.	86400	IN	A	192.168.20.32
    www.xuzhichao.com.	86400	IN	A	192.168.20.31
    
    ;; AUTHORITY SECTION:
    xuzhichao.com.		86400	IN	NS	ns2.xuzhichao.com.
    xuzhichao.com.		86400	IN	NS	ns1.xuzhichao.com.
    
    ;; ADDITIONAL SECTION:
    ns1.xuzhichao.com.	86400	IN	A	192.168.20.70
    ns2.xuzhichao.com.	86400	IN	A	192.168.20.71
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.20.70#53(192.168.20.70)
    ;; WHEN: Sat Jul 17 00:02:16 CST 2021
    ;; MSG SIZE  rcvd: 164
    
    [root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com +short
    www.xuzhichao.com.
    192.168.20.32
    192.168.20.31
    [root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com +short
    www.xuzhichao.com.
    192.168.20.32
    192.168.20.31
    [root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com +short
    www.xuzhichao.com.
    192.168.20.31
    192.168.20.32
    
    #3.测试A记录
    [root@xuzhichao ~]# dig @192.168.20.70 nginx02.xuzhichao.com +short
    192.168.20.22
    
    #4.修改客户端的dns为192.168.20.70.测试ping域名访问:
    [root@dns01 named]# vim /etc/resolv.conf
    [root@dns01 named]# ping dns01.xuzhichao.com
    PING dns01.xuzhichao.com (192.168.20.70) 56(84) bytes of data.
    64 bytes from dns01.xuzhichao.com (192.168.20.70): icmp_seq=1 ttl=64 time=0.009 ms
    64 bytes from dns01.xuzhichao.com (192.168.20.70): icmp_seq=2 ttl=64 time=0.035 ms
    

1.3 配置反向解析

为上面的正向解析配置反向解析域。

  1. 增加区域配置文件:

    [root@dns01 ~]# cat /etc/named.xuzhichao.com.zone
    zone "xuzhichao.com" IN {
    		type master;
    		file "xuzhichao.com.zone";
    };
    
    zone "20.168.198.in-addr.arpa" IN {
    		type master;
    		file "20.168.198.in-addr.arpa.zone";
    };
    
  2. 增加区域解析文件:

    [root@dns01 named]# cat /var/named/20.168.198.in-addr.arpa.zone
    $TTL 86400
    
    @	IN	SOA	ns1.xuzhichao.com.	mail.xuzhichao.com. (
    2021071601
    10800
    900
    604800
    86400
    )
    
    @	IN	NS	ns1.xuzhichao.com.
    @	IN	NS	ns2.xuzhichao.com.
    
    70	IN	PTR	ns1.xuzhichao.com.
    71	IN	PTR	ns2.xuzhichao.com.
    
    ;业务域
    31	IN	PTR	www.xuzhichao.com.
    32 	IN	PTR	www.xuzhichao.com.
    
    ;主机域
    
    22	IN	PTR	nginx02.xuzhichao.com.
    23	IN	PTR	ngxin03.xuzhichao.com.
    
    19	IN	PTR	nginx-lb01.xuzhichao.com.
    20	IN	PTR	nginx-lb02.xuzhichao.com.
    
    21	IN	PTR	apache01.xuzhichao.com.
    
    31	IN	PTR	lvs01.xuzhichao.com.
    32	IN	PTR	lvs02.xuzhichao.com.
    
    50	IN	PTR	mysql01.xuzhichao.com.
    
    61	IN	PTR	redis01.xuzhichao.com.
    
    30	IN	PTR	nfs01.xuzhichao.com.
    
    70	IN	PTR	dns01.xuzhichao.com.
    
    
    [root@dns01 named]# chgrp named 20.168.198.in-addr.arpa.zone 
    [root@dns01 named]# chmod 640 20.168.198.in-addr.arpa.zone
    
  3. 检测语法,重启bind服务:

    #检测语法
    [root@dns01 named]# named-checkconf
    [root@dns01 named]# named-checkzone 20.168.198.in-addr.arpa /var/named/20.168.198.in-addr.arpa.zone 
    zone 20.168.198.in-addr.arpa/IN: loaded serial 2021071601
    OK
    
    #重启bind服务
    [root@dns01 named]# rndc reload
    server reload successful
    
    [root@dns01 named]# rndc status
    version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7 (Extended Support Version) <id:7107deb>
    running on dns01: Linux x86_64 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020
    boot time: Sat, 17 Jul 2021 01:39:12 GMT
    last configured: Sat, 17 Jul 2021 01:39:16 GMT
    configuration file: /etc/named.conf
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 105 (97 automatic)
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/900/1000
    tcp clients: 8/150
    server is up and running
    
  4. 客户端测试反向域名解析:

    #192.168.20.31配置了两个域名,会进行轮询访问
    [root@xuzhichao ~]# dig -x 192.168.20.31 @192.168.20.70
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> -x 192.168.20.31 @192.168.20.70
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10821
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;31.20.168.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    31.20.168.192.in-addr.arpa. 86400 IN	PTR	lvs01.xuzhichao.com.
    31.20.168.192.in-addr.arpa. 86400 IN	PTR	www.xuzhichao.com.
    
    ;; AUTHORITY SECTION:
    20.168.192.in-addr.arpa. 86400	IN	NS	ns1.xuzhichao.com.
    20.168.192.in-addr.arpa. 86400	IN	NS	ns2.xuzhichao.com.
    
    ;; ADDITIONAL SECTION:
    ns1.xuzhichao.com.	86400	IN	A	192.168.20.70
    ns2.xuzhichao.com.	86400	IN	A	192.168.20.71
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.20.70#53(192.168.20.70)
    ;; WHEN: Sat Jul 17 09:46:24 CST 2021
    ;; MSG SIZE  rcvd: 174
    
    [root@xuzhichao ~]# dig -x 192.168.20.31 @192.168.20.70 +short
    www.xuzhichao.com.
    lvs01.xuzhichao.com.
    [root@xuzhichao ~]# dig -x 192.168.20.31 @192.168.20.70 +short
    lvs01.xuzhichao.com.
    www.xuzhichao.com.
    
    #测试其他的PTR记录
    [root@xuzhichao ~]# dig -x 192.168.20.50 @192.168.20.70 +short
    mysql01.xuzhichao.com.
    [root@xuzhichao ~]# dig -x 192.168.20.21 @192.168.20.70 +short
    apache01.xuzhichao.com.
    [root@xuzhichao ~]# dig -x 192.168.20.19 @192.168.20.70 +short
    nginx-lb01.xuzhichao.com.
    

1.4 DNS递归查询

  • 如果你要建立一个授权域名服务器,仅提供本地已存在域名解析即可;那么不要开启 recursion 功能。
  • 如果你要建立一个递归 DNS 服务器, 那么需要开启 recursion 功能。
  • 如果你的递归DNS服务器有公网IP地址, 你必须开启访问控制功能,只有合法用户才可以发询问。

递归配置参数如下:

#开启递归查询,yes表示开启,no表示关闭
recurison yes|no

#允许进行递归查询的客户端:
allow-recursion {address_match_list | any | none };

1.4.1 开启递归查询

  1. 修改配置文件如下:

    [root@dns01 named]# cat /etc/named.conf
    options {
    	......
    	recursion yes;
    	allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
    	......
    }
    
    [root@dns01 named]# named-checkconf 
    [root@dns01 named]# rndc reload
    server reload successful
    
  2. 客户端进行测试:

    #1.可以解析DNS存在的域名
    [root@xuzhichao ~]# dig nginx02.xuzhichao.com @192.168.20.70 +short
    192.168.20.22
    
    #2.可以解析DNS上不存在的域名,使用就是递归查询
    [root@xuzhichao ~]# dig www.baidu.com @192.168.20.70 +short
    www.a.shifen.com.
    110.242.68.4
    110.242.68.3
    

1.4.2 关闭递归查询

  1. 配置文件修改如下:

    [root@dns01 named]# cat /etc/named.conf
    options {
    	......
    	recursion no;
    	//allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
    	......
    }
    
    [root@dns01 named]# named-checkconf 
    [root@dns01 named]# rndc reload
    server reload successful
    
  2. 客户端测试:

    #1.仍然可以解析DNS存在的域名
    [root@xuzhichao ~]# dig -x 192.168.20.19 @192.168.20.70 +short
    nginx-lb01.xuzhichao.com.
    
    #2.不能解析DNS服务器上不存在的域名,即无法进行递归查询
    [root@xuzhichao ~]# dig www.baidu.com @192.168.20.70 +short
    
posted @ 2021-07-18 00:12  向往自由的独行者  阅读(884)  评论(0编辑  收藏  举报